You've come to this page because you've asked why the senders of Unsolicited Bulk Mail are able to relay their mail through your SMTP Relay server, and, upon testing, the dialogue with your SMTP Relay server has looked something like this:
220 rackmount.breinerlogistics.com ESMTP EHLO 0 250-rackmount.breinerlogistics.com 250-AUTH=LOGIN 250-PIPELINING 250 8BITMIME AUTH LOGIN 334 VXNlcm5hbWU6 piddle 334 UGFzc3dvcmQ6 piddle 235 go ahead
This is the Frequently Given Answer to that question.
You are employing an smtp-auth extension to stock qmail of some sort, but you haven't configured it in the manner that is described in its documentation. As a consequence, your SMTP Relay server is promiscuous.
In the case of Krzysztof Dabrowski's smtp-auth patch, you have forgotten the required hostname argument to qmail-smtpd. This means that instead of invoking qmail-smtpd as
you are invoking it as
qmail-smtpd hostname /bin/checkpassword /bin/true
and as a consequence qmail-smtpd is taking your hostname to be "/bin/checkpassword" and your password checking program to be "/bin/true". Because /bin/true always exits with a zero status, you are telling qmail-smtpd that all user+password combinations are succeeding.
qmail-smtpd /bin/checkpassword /bin/true
The senders of Unsolicited Bulk Mail have taken to scanning for SMTP Relay servers that allow any user+password combination, and using them to relay unsolicited bulk mail.